Hi Rob,
thank you for your reply which recalls something I read (I hoped it was
only my mistake...)
> HBAC services are PAM services. If the
> authentication/authorization/session is going through PAM then this can
> work. I have some vague memory of saslauthd and postfix using PAM.
I've tried to modify my auth chain in:
Postfix (1) -> saslauth (2) -> PAM (pam_krb5)
1) Postfix: smtpd_sasl_type = cyrus
2) saslauth:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
On 2022-02-16 14:47 Rob Crittenden wrote:
> stefano.antonelli@cnaf via FreeIPA-users wrote:
>> Dear FreeIPA users
>>
>> I have a three-node installation (version 4.6.8, CentOS 7.9.2009) and
>> I'm trying to manage users and hosts in order to allow them to send
>> emails; I've retrieved the host keytab from the ipa servers and configured
>> the host krb5.conf to point to the ipa servers;
>>
>> I've a test user on FreeIPA (or, in future, User groups) and an smtp
>> server (postfix; or in future Host groups) and an smtp service
>> smtp/hostname@REALM
>>
>> I'd like to configure an HBAC rule in order to:
>>
>> 1) allow the group of users to send email via the smtp server
>> 2) ban the user from sending email by removing him/her from the user group
>>
>> but there is something that's not working, I've made two tests (user in
>> User group and deleted from User group) and in both cases the user is
>> able to send email from his client (I attach the output of some ipa
>> commands)
>>
>> Besides, I've tried to add an HBAC service "smtp" (even if I do not
>> understand its real use, if it's "only" a tag) and an HBAC Service
>> group but nothing has changed. At the moment I don't realize where I'm
>> wrong even looking at some log files,
>>
>> thank you
>> cheers
>> Stefano
>>
>>
>>
>> ### 1 user-test in User Group
>> ipa hbacrule-show smtp
>> Rule name: smtp
>> Service category: all
>> Description: Regola di accesso ai server smtp
>> Enabled: TRUE
>> User Groups: smtp
>> Host Groups: smtp
>>
>> ipa user-show user-test
>> Member of groups: smtp
>> Indirect Member of HBAC rule: smtp
>>
>> ipa hbactest --user=user-test --host=host.domain --service=all
>> --------------------
>> Access granted: True
>> --------------------
>> Matched rules: smtp-cnaf
>>
>> ### 2 user-test deleted from User Group
>>
>> ipa hbactest --user=user-test --host=host.domain --service=all
>> ---------------------
>> Access granted: False
>> ---------------------
>> Not matched rules: smtp-cnaf
>
> HBAC services are PAM services. If the
> authentication/authorization/session is going through PAM then this can
> work. I have some vague memory of saslauthd and postfix using PAM.
>
> rob
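The point Rob makes (HBAC services are PAM services) has a concrete consequence for the chain Postfix -> saslauthd -> PAM: HBAC rules are evaluated by SSSD when pam_sss.so runs in the account phase of the PAM service whose name matches the IPA HBAC service, while pam_krb5.so only verifies the password against the KDC and never consults HBAC. The following check is an added example, not code from the thread or from FreeIPA; it assumes the PAM service saslauthd uses is called "smtp" and the sample stacks are constructed here for illustration.

```shell
#!/bin/sh
# Added example: does a PAM service file route its "account" phase through
# pam_sss.so (the module via which SSSD applies FreeIPA HBAC rules)?
# A stack built on pam_krb5.so alone authenticates the password but makes
# no HBAC decision, so the user keeps sending mail after leaving the group.

# hbac_enforced FILE DIR -> 0 if the account phase reaches pam_sss.so.
# "account include NAME" / "account substack NAME" lines are followed
# into DIR/NAME (as with the shared password-auth stack on RHEL/CentOS).
hbac_enforced() {
    grep -Eq '^[[:space:]]*account[[:space:]]+[^#]*pam_sss\.so' "$1" && return 0
    for inc in $(awk '$1=="account" && ($2=="include" || $2=="substack") {print $3}' "$1"); do
        [ -f "$2/$inc" ] && hbac_enforced "$2/$inc" "$2" && return 0
    done
    return 1
}

# Constructed sample stacks (assumed names, not copied from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# 1) pam_krb5 only, as in the chain above: password checked, HBAC ignored.
cat > "$demo_dir/smtp-krb5" <<'EOF'
auth     required pam_krb5.so
account  required pam_krb5.so
EOF
# 2) SSSD-backed stack: pam_sss asks SSSD, which evaluates the HBAC rules
#    for service "smtp" on this host.
cat > "$demo_dir/smtp-sss" <<'EOF'
auth     required pam_sss.so
account  required pam_sss.so
EOF
# 3) Delegates to a shared stack that carries pam_sss.
cat > "$demo_dir/password-auth" <<'EOF'
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF
cat > "$demo_dir/smtp-include" <<'EOF'
account  include password-auth
EOF

for svc in smtp-krb5 smtp-sss smtp-include; do
    if hbac_enforced "$demo_dir/$svc" "$demo_dir"; then
        echo "$svc: HBAC enforced (pam_sss in account phase)"
    else
        echo "$svc: HBAC NOT enforced"
    fi
done
```

On a real host the file to inspect is /etc/pam.d/<service>, where <service> is the PAM service name saslauthd passes; that name is what must match the HBAC service in IPA.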